Episode158

From Paul's Security Weekly
Revision as of 18:38, 2 July 2009 by Mick (Talk | contribs)

Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

Sponsors

  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 158 - July 2, 2009

  • NY Infraguard CTF - Two day Capture the Flag Event on July 21 - 22, 2009 at Cisco Systems, 1 Penn Plaza, 9th Floor. The event will be held from 9:00AM to 5:00 PM both days.
  • DEFCON - Look for our "vendor table" where we will be selling t-shirts in all colors and sizes for $10. Carlos will be giving a presentation on Meterpreter, and Larry will participate in Defcon Poetry jam with the tantalizing title of "FAIL". We will also be having an invite-only party, so stay tuned


Special Guest Panel - Chris Gerling Jr., Jason Mueller, Christopher "Securinate" Mills, Anthony Gartner from SecuraBit

Our guests will talk about Helix Pro, current security events, and well, whatever the heck pops into their evil heads.

Tech Segment: Sniffing DECT for fun and Penetration Testing with Larry Pesce

Lest you believe DECT is a deli meat, DECT stands for Digital Enhanced Cordless Telecommunications. [Mikep]

Sniffing DECT the dedected.org way

I'm always on the lookout for new ways to do recon for an assessment, or to be aware how folks could be performing recon against an organization. Being aware of recon methods helps n being able to make recommendations on potential exposure.

One of the things that can be highly successful for recon on a target is wireless. I'm not talking 802.11 wireless networks, but other wireless technologies; walkie talkies, cordless phones, etc.

Yes, cordless phones. We've talked about wireless headsets in the 900mhz range in the past, and we've even discussed assessments where they have been successful for gaining network credentials. Just use your programmable radio scanner outside of your target's call center, and boom!

There are plenty of other places that I note that cordless phones are in use. I cant recall the number of times that I'm in a small to mid to large business, often a franchise, and the manager on duty is carrying a cordless phone. I've witnessed them answer the phone to talk to customers, co-workers in another location, or even the tech support folks when they have computer issues (SCORE!).

Be careful here. In your jurisdictions it may be illegal to intercept cordless phone conversations

Of course, this is easy with 900 Mhz phones/headsets and your police scanner. 2.4 and 5.8 Ghz phones require a bit more work, such as modding appropriate scanner, or obtaining an older model scanner. Again, this may be illegal in your jurisdiction!

Don't forget about baby monitors! They come in all frequency flavors as well, and from the best I can tell, the legality is mostly different, as thy are not usually connected to telephone infrastructure. I'm not a lawyer, so check on the legality. (Boy, I sound like a broken record.

With the evolution of wireless communication gear, we get to upgrade to digital technology, or DECT (Digital Enhanced Cordless Telecommunications). With this move to digital transmissions, our police scanner is of little use. Even now, enterprise telecom infrastructure providers are beginning to implement DECT in their gear. Think call center again...

Enter the deDECTed Project and the Dosh Amand DECT PCMCIA cards.

The deDECTed folks created an app to be able to interface with specific Dosh Amand DECT cards, and turn them into DECT sniffers. The software is readily available from dedected.org, but the PCMCIA cards are a little bit more difficult to acquire. Assuming we can get ahold of a card, let's configure deDECTed and capture us some audio - with permission of course!

A big thanks to Twitchy for loaning me his DECT PCMCIA card, as well as pointing me down the right path with deDECTed.

What you'll need:

  • A linux installation with build environment
  • A Dosh Amand COM-ON-AIR Type 2 PCMCIA Card Let's get started. First we need to obtain a copy of deDECTed from SVN:
    $ svn co https://dedected.org/svn/trunk dedected 
    

    Then we need to change into the new dedected directory and begin compiling our tools. We'll be specifying just the tools directory here, as the rest of the project includes some other items that we aren't concerned with at the moment, such as the Kismet plugin.

    $ cd /dedected/com-on-air_cs-linux
    $ make && make -C tools
    

    Once the compilation of the tools directory has completed, we need to make our drivers and create the system device. We now need to execute two more make commands, as root to do this

    # make load
    # make node
    

    A NOTE OF WARNING: After the system has detected and identified the PCMCIA card, do not eject the card; the system will instantly kernel panic. It is a known issue and know you know.

    We then can verify that DECT goodies are showing up by issuing dmesg, and looking at the end of the output. Once we have verified that the system can see the card we now need to fire up the CLI interface appropriately named dect_cli. We need to be root to do so, in order to be able to access the raw device (or change the permisions on the device with "chmod 666 /dev/coa")

    $ cd tools
    # ./dect_cli
    

    Now we have access to the dect_cli console. It doesn't give you a nice prompt, just a blank line, waiting for input. Let's give it a few commands:

    verb
    

    This will set verbose output ON. Now, here in the US we need to set the appropriate channel range for "DECT 6.0". Otherwise, in other countries, you'll likely skip this step (But, what is to prevent someone from brining a US model abroad?)

    band
    

    In order to channel hop, auto discover calls and record them to pcap output, we use the following command:

    autorec
    

    This starts the channel hopping, and auto call recording. YET ANOTHER NOTE: At this time while auto call detection and recording is happening you still have access to the command line. In order to properly write out the pcap files you need to issue:

    stop
    

    It you don't the pcap files can be improperly terminated. I actually missed my first couple of recordings because I forgot to do this, and it didn't write any files at all.

    Well, ok that's cool. We now have some pcap files, but how do I listen to them? the deDECTed folks have included some conversion tools to make .ima files. We also will want to convert them to .wav, so we will ned a few more tools, decode and sox.

    I installed sox using apt-get, so this one will vary by os. I used:

    # apt-get install sox
    

    We also need a modified version of decode from http://www.ps-auxw.de/g72x++.tar.bz2. Here is how I obtained and compiled:

    $ wget http://www.ps-auxw.de/g72x++.tar.bz2
    $ bzip2 -d g72x++.tar.bz2
    $ tar -xvf g72x++.tar
    $ cd g72x
    $ ./build.sh
    

    After the build we can use the following script to use decode and sox to output wav files. Don't forget to update the script to reflect the current paths for sox, decode-g72x, and pcap2stein (from the deDECTed tools) on your system. Here's the script form the deDECTed project (at https://dedected.org/trac/wiki/COM-ON-AIR-Linux):

    SOX=/usr/bin/sox
    
    for i in `/bin/ls -1 *.pcap` ; do
            ./pcapstein $i
    done
    
    #decoder for g.721
            for i in *.ima ; do
                    cat $i | ./decode-g72x -4 -a | sox -r 8000 -1 -c 1 -A -t raw - -t wav $i.g721.wav;
            done
    
    #decoder for g.726.R
            for i in *.ima ; do
                    cat $i | ./decode-g72x -64 -l -R | sox -r 8000 -2 -c 1 -s -t raw - -t wav $i.g726.R.wav;
            done
    
    #decoder for g.726.L
            for i in *.ima ; do
                    cat $i | ./decode-g72x -64 -l -L | sox -r 8000 -2 -c 1 -s -t raw - -t wav $i.g726.L.wav;
            done
    

    Once converted, listen away, and enjoy the fruits of your labor. Hopefully the audio is not common drivel often found on personal phone calls or on baby monitors. Here's hoping for credentials on all of your assessments!

    Tech Segment: Mick Douglas loves Kon-Boot

    If you're anything like me you hate having to do password cracking via brute force. So you "cheat" and use things like dictionary files or rainbow tables... and that's cool. I use them quite often.

    But what if there were an easier way? What if there were a great way to just bypass authentication altogether? That my friends is the magic of Kon-Boot. Just boot and go! Really, it's that easy! Try it yourself and see.

    But wait there's more! It works on both Windows and Linux!! Hotness!

    So now next time you have a machine that you need to pwn, (with written permission first!) reach for this handy-dandy tool. You'll be glad you did, I know I am.

    (Thanks John for suggesting this as a topic. Thanks Paul for bringing this into my awareness)

    Stories For Discussion

    1. Pwning your iPhone 140 characters at a time. - [Larry] - Good ole Charlie Miller talked about vulnerabilities in the iPhone via processing SMS messages. While they are limited to 140 characters, they iPhone will reassemble...and the SMS app runs as root.
    2. McGrew, McGraw, McGruff? - [Larry] - Wesley McGrew tuned over information that leads to the arrest of an alleged hacker - who was a contracted security guard for a medical facility. Insert discussion on the insider threat here...
    3. Didier eats PDFs for breakfast - [Larry] - I mean seriously, Didier appears to have taken it upon himself to find more ways to abuse the PDF spec, this time by hiding embedded files inside the document, with valid tags, that are then rendered invalid. Hmm, this sounds like a great way to either exfiltrate or infiltrate data....
    4. Managing firewall rules can be a nightmare - [Larry] - Wow, think about all of these scenarios for managing firewall rules. I can see how this can get out of hand, and opening up issues as time progresses, especially in larger environments.
    5. FBI typically uses National Security Letters along with a gag order, but when challenged by EFF, instead issues a classified declaration that justifies the gag order - [mikep] - EFF issues WTF?! in response.
    6. China's 'Green Dam Youth Escort' internet monitoring software to go into effect July 1st - [mikep] - China plans to censor pr0n and other unhealthy information for all youth.
    7. Trojan Downloader for Michael Jackson death related video - [mikep] - "Don't stop til you get enough" indeed.
    8. Firefox 3.5 released! - [Mick] - my second favorite browser has an upgrade. It's full of FAST! Not all the plug-ins are compatible... for now. (YSlow & TestGen4Web, I miss you very much. Please upgrade too. kthxbyi)
    9. Pirate Bay: SOLD! - [Mick] - All I can say is Whiskey Tango Foxtrot.
    10. iPhone heat DoS - [Mick] - all electronics have safe operating ranges... but this might be a bit of a problem... no iPhone in Vegas @ DEFCON?
    11. Was our grid hacked? - [Mick] - looks like the power companies are taking the threat to the grid a bit more seriously. We'll keep an eye on this one...
    12. Users don't do maintenance - [Mick] - After careful study, it appears that most users do not take care of the basics... AV, patches, etc. In other news, water is still wet.  ;-)
    13. No Jackpots for you! - [Mick] - Sad about this one. :( This was probably the talk that I and most other Black Hat attendees were looking forward to. Now it looks extremely likely that this isn't going to happen.

    Other Stories For Discussion

    1. Britney Spears literally hacked to death - [mikep] - Death by Twitter! Attacker gained access to some of Twitter's account reset/support tools and seemingly managed to reset the account and post some fake death notices.